When the business leaders start to ask questions about how the organization’s security looks, it’s time to make sure they grasp what’s going on and what needs to happen, so we can do it right.


After the departure of the Equifax CEO over that company’s ongoing security incident, many CEOs seem to be waking up and noticing that cybersecurity might be something they should care about. It now seems that if you’re the CEO of an organization that suffers a large cybersecurity failure, it can put your job in jeopardy.

This probably shouldn’t surprise anyone who is paying attention: there have been plenty of warnings about just this over the years. The difference this time is it seems to be real. The easiest way to get your CEO to care about cybersecurity is for real consequences to exist. It’s easy to ignore a problem when it won’t really affect you in a negative way.

There are many security groups that have been waiting for this to happen. Many of us knew that someday security would get the attention it deserves from the boardroom. It’s finally time to save the day. We can imagine the CEO showing up and asking for help while the security team flies into action and gets to be the hero everyone deserves!

However, if you’re in an organization with a CEO that suddenly cares about security, you should be mindful that nothing is free. If the CEO is asking for help from the security team, it’s time to make sure they understand the current and future funding of the security group. It can be exciting to get attention, but make sure you think with the future in mind. It’s time to hold out the hat.

It’s very common in the security space to see a leader come to us and ask if something can be done. For example, maybe you need to better protect your database, or maybe that customer data should be locked up. That old Windows 95 machine in accounting? Yeah, let’s get rid of that thing. This is the point at which we must stop being security leaders and start being business leaders. We’re very good at saying “yes” to everything – we’re less good at executing on all those yes answers. Doing 10 things halfway isn’t better than doing one thing well.

There’s a tendency for security groups to try to do things without adding any new resources. If a leader asks if something can be done, the answer should never be “yes.” It should always be “to do that we would need…” Anything is possible if you have enough resources. What you’re probably being asked is “can we do this for free” – which of course has an answer of “no.” The options are always: “stop doing something else,” “get more resources” and “do nothing.” There is no secret option where you can do more things for free.

Every competent security group on the planet is already overworked. Adding more work isn’t free; it has a very real cost to the team. Even if what you want to do doesn’t technically cost money for a new tool or service, it will cost you resources. If you take on new tasks, you either have to stop doing something old, or get additional resources to do the extra thing. It can be hard to stop doing things, so more resources will typically be the first request.

It’s never easy to say no. It’s never easy to ask for more. There’s never been a better time than now. All the events of the past few months have led us to right now, where we can start to have serious conversations about the security resources we need to make a difference. When the business leaders start to ask questions about how the organization’s security looks, it’s time to make sure they grasp what’s going on and what needs to happen, so we can do it right.

Of course, it goes without saying that you had better make sure whatever you ask for will make a difference. You only get to hold the hat out one time. If you don’t focus on the right priorities the next time you look for a handout, it’s going to be in the bread line.

This article is published as part of the IDG Contributor Network.